Citrix Internals: ICA Connectivity

Slides from BriForum London 2014: Citrix Internals: ICA Connectivity


  1. @fdwl #BriForum @entisys. Citrix Internals: ICA Connectivity. Denis Gundarev, Senior Consultant, Entisys Solutions. May 21, 2014
  2. About me
      Name: ENTISYSDenis
      Groups: Group1: Bay Area Citrix User Group; Group2: Citrix Technology Professional
      Email: DenisG@entisys.com
      Twitter: @fdwl
      [Length: 112]
      0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYSDenis..
      0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
      0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
      0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
      0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional
      0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
      0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..
  3. Agenda
      - Everything that you need to know about the ICA protocol
  4. What does ICA stand for? Independent Computing Architecture? ICA = Intelligent Console Architecture!
  5. ICA 1.0 - 1992
      - Originally for serial connections
      - IPX and NetBIOS were added later
  6. ICA 2.0 - 1992
      - First graphical version of ICA
      - Citrix WinCredible - add-on to Citrix MultiUser
      - Multiple operating systems: OS/2, DOS, Windows 3.1
      - TCP/IP stack for OS/2 from FTP Software
  7. ICA 3.0 - 1995
      - Introduced in WinFrame For Networks
      - Thinwire 1, printing, client drive mapping, audio, clipboard
      - TCP/IP, IPX, SPX, NetBEUI, serial, modems
      - $5,995 for 15 concurrent users
  8. PRD - Product Renaming Disorder (Before -> After)
      - Core virtual channels -> HDX Broadcast
      - Thinwire -> HDX SmartRendering
      - Virtual channel fallback -> HDX Adaptive Orchestration
      - Flash and Windows Media redirection -> HDX MediaStream
      - Server-side Flash rendering -> HDX MediaStream Network Conditions
      - 3D Pro and RemoteFX -> HDX RichGraphics
      - Bidirectional audio and UDP audio -> HDX RealTime
      - Device mapping -> HDX Plug-n-Play
      - Built-in compression and Branch Repeater -> HDX WAN Optimization
      - NetScaler session policies -> HDX SmartAccess
  9. ICA Overview
      The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth optimization features. Since ICA sits at OSI layer 6, what does it do for optimization? The ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required part. Within ICA are virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc. that can be encapsulated. You can have a maximum of 32 virtual channels. RDP channels are different. Each channel has a counterpart on the server. These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on top of the transport driver.
 10. ICA In Real Life
      [Diagram: ICA stack. Transport: TCP, SSL, CGP/WinSocks. ICA drivers: protocol driver, frame driver, encryption, WinStation, compression. Virtual channels: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
 11. Virtual Channels
      [Diagram: the same ICA stack, with the virtual channel layer highlighted: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
 12. Virtual Channels
      Channel Name | Priority | Description | Virtual Driver
      CTXCAM  | 0 | Client Audio Mapping | vdcamN.dll
      CTXCCM  | 3 | Client COM Port Mapping | vdcom30N.dll
      CTXCDM  | 2 | Client Drive Mapping | vdcdm30n.dll
      CTXCLIP | 2 | Client Clipboard Mapping | vdclipn.dll
      CTXCM   | 3 | Client Management (Auto-Update) | vdcmN.dll
      CTXCOM1 | 3 | Legacy COM1 Port Mapping | vdcom30N.dll
      CTXCOM2 | 3 | Legacy COM2 Port Mapping | vdcom30N.dll
      CTXCPM  | 3 | Printer Mapping for Spooling Clients | vdcpm30N.dll
      CTXCTL  | 1 | ICA Session Control | vdctln.dll
      CTXD3D  | 1 | Direct3D Virtual Channel Adapter | vd3dn.dll
      CTXEUEM | 1 | End User Experience Monitoring | vdeuemn.dll
      CTXFLSH | 2 | Multimedia - Flash | vdflash.dll
      CTXGUSB | 2 | USB Redirection | vdgusbn.dll
      CTXLIC  | 1 | License Management | wfica32.exe
      CTXLPT1 | 3 | Legacy LPT1 Port Mapping | vdcpm30N.dll
      CTXLPT2 | 3 | Legacy LPT2 Port Mapping | vdcpm30N.dll
      CTXMM   | 2 | Multimedia - Streaming | vdmmn.dll
      CTXPASS | 2 | Transparent Key Pass-Through | vdkbhook.dll
      CTXPN   | 1 | Process Notification | vdpnn.dll
      CTXSBR  | 1 | Citrix Browser Acceleration | vdtw30n.dll
      CTXSCRD | 1 | Smartcard | vdscardn.dll
      CTXTW   | 1 | Remote Session Screen Update (THINWIRE) | vdtw30n.dll
      CTXTWI  | 1 | Seamless Windows Screen Update (THINWIRE) | vdtwin.dll
      CTXTWN  | 2 | Twain Redirection | vdtwn.dll
      CTXZLC  | 0 | Speed Screen Latency Reduction - Screen | vdzlcn.dll
      CTXZLFK | 0 | Speed Screen Latency Reduction - Fonts | vdfon30n.dll
      OEMOEM  | 3 | |
      OEMOEM2 | 3 | |
      CTXVFM  | 1 | CTXVFM? |
 13. Virtual Channels
      - At client load time, the list of channel drivers is populated from the registry/.ini file
      - During the connection, the client passes information about the virtual channels it supports to the XenApp server
      - The XenApp server opens the virtual channel
      - Data is sent using one of two methods: polling mode or immediate mode
      - The VC server can be on the client
      - You can remove unneeded channels (http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)
 14. Virtual Channels
      - You can create your own virtual channels
        https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html
        http://www.citrix.com/community/receiver-ica-sdks.html
      - 3 examples included in the SDK
      - RDP2TCP - nice example: http://rdp2tcp.sourceforge.net/
      - Citrix ICA Virtual Channels Backgrounder: http://support.citrix.com/article/CTX116890
 15. Dynamic Virtual Channels
      - Up to 64 Static Virtual Channels (SVCs) for Win32
      - 29 SVCs reserved by Citrix
      - Android client supports up to 32 SVCs
      - Dynamic Virtual Channels (DVCs) are multiplexed over traditional SVCs
      - To write the DVC component over ICA, Microsoft's DVC API can be used: http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx
 16. Virtual Channel Priority
      - XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities: http://support.citrix.com/article/CTX131001
      - How to Change Virtual Channel Priority in XenDesktop 5: http://support.citrix.com/article/CTX128190
      - Multi-Stream ICA and Cisco QoS: http://www.citrixirc.com/?p=182
      - Check the VC utilization using Perfmon: http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html
 17. ICA Drivers
      [Diagram: the ICA stack with the driver layer highlighted: protocol driver, frame driver, encryption, WinStation, compression; virtual channels shown: DRIVE, PRINTING, COM]
 18. WinStation Driver
      - Establishes the ICA session
      - Encodes ICA command information into an ICA packet
      - ICA packet = Command + Command Data < 2048 bytes
      - Compresses the ICA packet
      - Combines or separates compressed ICA packets into 1460-byte buffers
      - Determines the priority of each output buffer
 19. Compression Driver
      - Enabled by default
      - VC-specific compression methods
      - Be careful with WAN optimization recommendations
      - Disabled compression + bandwidth limit = fail: http://support.citrix.com/article/CTX121353
 20. Encryption Driver
      - Basic. Encrypts the client connection using a non-RC5 algorithm. http://www.monkey.org/~dugsong/icadecrypt.c.txt
      - RC5, AKA SecureICA
      - RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.
      - RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.
      - RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.
      - RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
 21. Framing Driver
      - Rearranges ICA packets according to priority
      - Citrix ICA Priority Packet Tagging: http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf
      - Fits ICA packets into the frame
      - Sends frames to the protocol driver
 22. Protocol Driver
      - Transfers the frame to the underlying protocol without modification
      - The result is the ICA stream, ready for transmission
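The driver chain on slides 18 to 22 (WinStation packetization, compression, priority framing into 1460-byte buffers, unmodified hand-off to the transport) can be modelled end to end. The following is an added example, not Citrix code and not from the slides: it takes only the numbers the slides state (packet = command + data under 2048 bytes, 1460-byte buffers, priorities 0 to 3 from the slide-12 table) and assumes a 2-byte length prefix per record and zlib as a stand-in for the VC-specific compressors; the encryption driver is left out because the slides give no keying details.

```python
"""Toy model of the ICA driver stack on slides 18 to 22.

Added example, not Citrix code. The slides give the limits but not the
wire format, so this assumes a 2-byte length prefix per compressed
packet and uses zlib in place of the VC-specific compressors; the
encryption driver is left out because RC5 keying is not on the slides.
Numbers from the slides: packet = command + data, under 2048 bytes;
output buffers of 1460 bytes; per-channel priority 0 (highest) to 3.
"""
import random
import zlib
from dataclasses import dataclass

MAX_PACKET = 2048   # slide 18: command + command data < 2048 bytes
BUFFER_SIZE = 1460  # slide 18: buffers of 1460 bytes

# Priorities of a few channels, copied from the slide-12 table.
VC_PRIORITY = {"CTXCAM": 0, "CTXTW": 1, "CTXCDM": 2, "CTXCPM": 3}


@dataclass
class IcaPacket:
    channel: str
    command: int
    data: bytes
    priority: int


def winstation_encode(channel: str, command: int, data: bytes) -> IcaPacket:
    """WinStation driver: one command byte plus its data, under MAX_PACKET."""
    if not 0 <= command <= 0xFF:
        raise ValueError("command must fit in one byte")
    if 1 + len(data) >= MAX_PACKET:
        raise ValueError(f"ICA packet must be smaller than {MAX_PACKET} bytes")
    return IcaPacket(channel, command, data, VC_PRIORITY[channel])


def compress(packet: IcaPacket) -> bytes:
    """Compression driver (zlib stands in for the VC-specific methods)."""
    return zlib.compress(bytes([packet.command]) + packet.data)


def frame(packets: list) -> list:
    """Framing driver: order by priority, then cut into 1460-byte buffers.

    Each compressed packet becomes <2-byte big-endian length><bytes>
    (assumed record format). The concatenated stream is sliced into
    BUFFER_SIZE pieces, so small packets are combined into one buffer
    and a large one is separated across buffers. sorted() is stable,
    so packets of equal priority keep their original order.
    """
    ordered = sorted(packets, key=lambda p: p.priority)
    records = [compress(p) for p in ordered]
    stream = b"".join(len(r).to_bytes(2, "big") + r for r in records)
    return [stream[i:i + BUFFER_SIZE] for i in range(0, len(stream), BUFFER_SIZE)]


def protocol_send(buffers: list) -> bytes:
    """Protocol driver: pass frames to the transport without modification."""
    return b"".join(buffers)


def receive(stream: bytes) -> list:
    """Receiving side: walk the length-prefixed records and decompress."""
    out, i = [], 0
    while i < len(stream):
        n = int.from_bytes(stream[i:i + 2], "big")
        raw = zlib.decompress(stream[i + 2:i + 2 + n])
        out.append((raw[0], raw[1:]))
        i += 2 + n
    return out


def demo_packets() -> list:
    """Constructed traffic: a bulk print job queued ahead of audio and screen data."""
    bulk = random.Random(7).randbytes(1800)  # incompressible, so it will not fit one buffer
    return [
        winstation_encode("CTXCPM", 0x50, bulk),                   # priority 3
        winstation_encode("CTXCDM", 0x44, b"dir-listing " * 20),   # priority 2
        winstation_encode("CTXCAM", 0x41, b"\x00\x01" * 100),      # priority 0
        winstation_encode("CTXTW", 0x54, b"screen-delta " * 10),   # priority 1
    ]


if __name__ == "__main__":
    bufs = frame(demo_packets())
    print(len(bufs), "buffers of", [len(b) for b in bufs], "bytes")
    for cmd, data in receive(protocol_send(bufs)):
        print(f"command {cmd:#04x}, {len(data)} bytes")
```

Running it shows the print job, although queued first, leaving last, and the 1800-byte payload spilling over two buffers while the three small packets share the first one; that reordering is exactly why a bandwidth cap with compression disabled (slide 19) starves the low-priority channels rather than the interactive ones.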
 23. More Info About ICA
      - Citrix ICA Virtual Channels Backgrounder: http://support.citrix.com/article/CTX116890
        Virtual channel names must not be more than seven characters in length
      - Configuring Citrix MetaFrame XP for Windows by Syngress et al.: http://amzn.com/1931836531
      - Citrix ICA Technology Brief: http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html
 24. CGP
      [Diagram: the ICA stack with the CGP/WinSocks transport layer highlighted: TCP, SSL, CGP/WinSocks; drivers: protocol driver, frame driver, encryption, WinStation, compression; virtual channels: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
 25. What does CGP stand for?
      - Certified Guitar Player
      - Common Gateway Protocol
      - Formerly known as Citrix Gateway Protocol
 26. Common Gateway Protocol
      - CGP = binary protocol designed for efficient tunneling of one or more TCP streams
      - Used by Session Reliability
      - Based on the SOCKS proxy protocol
 27. What is SOCKS
      - SOCKS is a generic proxy protocol for TCP/IP-based networking applications
      - SOCKS consists of two parts: the SOCKS server and the SOCKS client
      - The SOCKS server can communicate directly with both the Internet and the internal computers
      - The SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet
 28. SOCKS Connection
      [Diagram: User -> SOCKS Proxy: SOCKS Request; SOCKS Proxy -> TCP Server: TCP Connect (SYN), TCP Connect (ACK); SOCKS Proxy -> User: SOCKS Reply; then DATA flows in both directions through the proxy]
 29. Secure Gateway Proxy/NetScaler Gateway Next Hop
      - Unauthenticated SOCKS, tunnels any TCP traffic
      - When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443
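The request/reply exchange drawn on slide 28 can be written out byte by byte. The block below is an added example, not from the slides and not Citrix code: the slides say CGP is based on SOCKS but do not name a version, so this implements the SOCKS version 5 CONNECT handshake of RFC 1928 (an assumption) with the "no authentication" method, which is the mode the unauthenticated next hop on slide 29 runs in. Both sides are plain functions over bytes, so the exchange can be inspected without a network; the optional allow-list in the proxy function is this example's own addition, showing the one check an unauthenticated hop can still apply. The host 192.168.1.176:1494 is taken from slide 36; xa75.corp is a constructed name.

```python
"""SOCKS CONNECT exchange from slide 28, as bytes on the wire.

Added example, not from the slides or from Citrix. Implements the
SOCKS version 5 CONNECT handshake of RFC 1928 (assumed version) with
the "no authentication" method, as plain functions over bytes.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def _parse_addr(buf: bytes, i: int):
    """Decode ATYP + address + port at buf[i]; returns (host, port, next_index)."""
    atyp = buf[i]
    i += 1
    if atyp == ATYP_IPV4:
        host, i = str(ipaddress.IPv4Address(buf[i:i + 4])), i + 4
    elif atyp == ATYP_IPV6:
        host, i = str(ipaddress.IPv6Address(buf[i:i + 16])), i + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[i]
        host, i = buf[i + 1:i + 1 + n].decode("idna"), i + 1 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", buf[i:i + 2])
    return host, port, i + 2


# --- client side (the ICA client talking to the gateway hop) --------------
def client_greeting() -> bytes:
    return bytes([SOCKS_VERSION, 1, NO_AUTH])  # VER, NMETHODS, METHODS


def client_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT to host:port."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal: send it as a domain name
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_reply(reply: bytes):
    """Return (REP, BND.ADDR, BND.PORT); REP 0 means the proxy connected."""
    if reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    host, port, _ = _parse_addr(reply, 3)
    return reply[1], host, port


# --- proxy side (the gateway) ---------------------------------------------
def gateway_method_select(greeting: bytes) -> bytes:
    """Accept the no-auth method if offered, otherwise refuse with 0xFF."""
    n = greeting[1]
    if greeting[0] != SOCKS_VERSION or NO_AUTH not in greeting[2:2 + n]:
        return bytes([SOCKS_VERSION, NO_ACCEPTABLE])
    return bytes([SOCKS_VERSION, NO_AUTH])


def gateway_handle_request(request: bytes, allowed=None) -> bytes:
    """Answer a CONNECT; `allowed` is an optional set of (host, port) the proxy may reach."""
    if request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    else:
        host, port, _ = _parse_addr(request, 3)
        rep = REP_SUCCESS if allowed is None or (host, port) in allowed else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT would be the proxy's outbound socket; none here, so 0.0.0.0:0.
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


def exchange(host: str, port: int, allowed=None):
    """Run the whole handshake in process; returns (transcript, REP)."""
    greet = client_greeting()
    method = gateway_method_select(greet)
    req = client_connect_request(host, port)
    reply = gateway_handle_request(req, allowed)
    transcript = [("C>P", greet), ("P>C", method), ("C>P", req), ("P>C", reply)]
    return transcript, parse_reply(reply)[0]


if __name__ == "__main__":
    # 192.168.1.176:1494 is the server address from slide 36.
    for direction, msg in exchange("192.168.1.176", 1494, {("192.168.1.176", 1494)})[0]:
        print(direction, msg.hex(" "))
```

Note the contrast with slide 30: a SOCKS proxy answers a refused CONNECT with a reply byte (REP 0x02 here), whereas CGP drops the TCP connection without any response when the ticket is invalid, so a CGP listener leaks nothing to a client that holds no ticket.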
 30. What is the difference between CGP and SOCKS?
      - CGP is a completely different protocol, but shares the same idea
      - CGP supports ticket-based authentication and addressing
      - The CGP server sends keep-alive messages (60 sec by default)
      - CGP drops the TCP connection without a response if the ticket is invalid
      - CGP supports TCP multiplexing, but it's not really used
      - SOCKS is still in Citrix products
 31. Ticket Types
      Name | Issued by | Purpose
      Logon Ticket | XenApp Data Collector / XenDesktop Controller | Authenticate user to ICA session; ticket replaces user credentials. Example: LogonTicket=34B79930FBFC20BEF54D597A6A1595 LogonTicketType=CTXS1
      ACR Ticket | XenApp Server / XenDesktop VDA | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
      Gateway Traversal Ticket (v1) | AppController | Allow ICA connection through SOCKS; ticket replaces destination server address
      Common Gateway Protocol Token | Citrix XTE Service / ICA-CGP Listener | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
      Gateway Traversal Ticket (v4) | XenApp ctxsta.dll or XenDesktop Broker Service | Allow ICA connection through Gateway with Session Reliability; ticket replaces server address. Example: Address=;40;STA403126471;54D2368FFFD32A448EA55350100553
 32. Session Reliability
      - Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598: http://support.citrix.com/article/CTX104147
      - Session Reliability, Frozen Screens and The Hourglass of Death, by Nick Rintalan: http://blogs.citrix.com/2013/01/23/session-reliability/
 33. CGP Implementations: XTE Service
      - Extensible Transformation Engine (XTE) is an Apache-based proxy server that supports: CGP, SOCKS, HTTP, and all of the above over SSL
      - Can be seen on XenApp <= 6.5 and XenDesktop <= 5.x as the Citrix XTE Service, providing: Session Reliability, SSL Relay, Password Manager Service, Universal Print Server
 34. CGP Implementations: RDS Listeners
 35. CGP Implementations: CSG
      - Gateway between an SSL-enabled ICA client and XenApp servers
      - Tunnels ICA/CGP traffic inside SSL
      - Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5
      - Similar to the XTE Service, based on Apache
      - Basically XTE + 3 additional Apache modules + GUI
      - Supports STA ticketing authentication
 36. STA Ticket Request
      - The following data are included as part of the ticket request sent by the Web server: user name and domain name, published application name, least-busy Presentation Server address
      <?xml version="1.0" encoding="UTF-8"?>
      <!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
      <CtxConnInfo version="1.0">
      <ServerAddress>192.168.1.176:1494</ServerAddress>
      <UserName>fdwl</UserName>
      <UserDomain>corp</UserDomain>
      <ApplicationName>XA75 $S4-5</ApplicationName>
      <Protocol>ICA</Protocol>
      </CtxConnInfo>
 37. STA Ticket Response
      - The encoding format is a string of the form ;STA_VERSION;STA_ID;TICKET
      - STA_VERSION: 40 for XenApp and XenDesktop, 10 for AppController
      - STA_ID is a sequence of 0 - 16 characters, usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.
      - TICKET is a randomly generated sequence of 32 uppercase alphabetic or numeric characters
      - Example: ;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
      <CtxSTAProtocol version="1">
      <ResponseTicket>
      <AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
      <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
      <TicketVersion>40</TicketVersion>
      </ResponseTicket>
      </CtxSTAProtocol>
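The ticket format on slide 37 (and the Address= value on slide 31) is compact enough to parse and check mechanically, which is what a gateway has to do before it can route a ticket back to the STA that issued it. The block below is an added example, not Citrix code: it applies only the rules printed on the slides (leading semicolon, STA_VERSION 40 or 10, STA_ID of 0 to 16 characters, TICKET of exactly 32 uppercase letters or digits, STA_ID used to locate the issuing STA) to the sample strings and the XML response from the slides. The names StaTicket and locate_sta, and the STA URL in the directory, are this example's own; the slide-31 Address value is 30 characters long as it is printed, so the length rule rejects it.

```python
"""Parse and check STA tickets (slides 31 and 37).

Added example, not Citrix code. Applies the rules printed on the
slides: ';STA_VERSION;STA_ID;TICKET', STA_VERSION 40 (XenApp/XenDesktop)
or 10 (AppController), STA_ID of 0 to 16 characters, TICKET of 32
uppercase letters or digits. Tag names come from the slide-37 response.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

KNOWN_VERSIONS = {"40": "XenApp/XenDesktop", "10": "AppController"}
TICKET_RE = re.compile(r"^[A-Z0-9]{32}$")

# Response text from slide 37 (whitespace inside AuthorityID as printed there).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
<CtxSTAProtocol version="1">
<ResponseTicket>
<AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
<Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
<TicketVersion>40</TicketVersion>
</ResponseTicket>
</CtxSTAProtocol>"""


@dataclass(frozen=True)
class StaTicket:
    version: str
    sta_id: str
    ticket: str

    def as_address(self) -> str:
        return f";{self.version};{self.sta_id};{self.ticket}"


def parse_address(value: str) -> StaTicket:
    """Parse ';40;STA403126471;FE0A...' (with or without a leading 'Address=')."""
    if value.startswith("Address="):
        value = value[len("Address="):]
    parts = [p.strip() for p in value.split(";")]
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected ';STA_VERSION;STA_ID;TICKET'")
    _, version, sta_id, ticket = parts
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown STA_VERSION {version!r}")
    if len(sta_id) > 16:
        raise ValueError("STA_ID must be 0 to 16 characters")
    if not TICKET_RE.match(ticket):
        raise ValueError("TICKET must be 32 uppercase alphanumeric characters")
    return StaTicket(version, sta_id, ticket)


def parse_response(xml_text: str) -> StaTicket:
    """Extract the three fields from a CtxSTAProtocol response and validate them."""
    root = ET.fromstring(xml_text)
    rt = root.find("ResponseTicket")
    if rt is None:
        raise ValueError("no ResponseTicket element")
    fields = {tag: (rt.findtext(tag) or "").strip()
              for tag in ("TicketVersion", "AuthorityID", "Ticket")}
    return parse_address(";{TicketVersion};{AuthorityID};{Ticket}".format(**fields))


def locate_sta(address: str, sta_directory: dict):
    """Map the STA_ID in a presented Address to the STA that must validate it.

    Returns (StaTicket, url), with url None when the STA_ID is unknown; a
    malformed Address raises before any lookup happens.
    """
    t = parse_address(address)
    return t, sta_directory.get(t.sta_id)


if __name__ == "__main__":
    # Constructed directory: STA_ID -> STA URL (the URL is made up for this example).
    directory = {"STA403126471": "https://sta.corp.example/scripts/ctxsta.dll"}
    t = parse_response(SAMPLE_RESPONSE)
    print(t.as_address(), "->", locate_sta(t.as_address(), directory)[1])
```

Rejecting malformed values before the lookup matters because, per slide 30, the correct CGP behaviour on a bad ticket is to drop the connection silently; validating the shape first keeps a garbage Address from ever reaching an STA.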
 38. CGP Implementations: NetScaler Gateway/Access Gateway
      - ICA Proxy mode
      - The only supported gateway for XenDesktop 7.x
      - ICA Proxy session migration in 10.1
 39. WebSockets
      - "SOCKS over HTTP"
      - HTTP Upgrade
      - TCP 8008 by default, but can be changed:
        <html5 enabled="Always" platforms="Force" launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080" singleTabLaunch="true" chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />
      - XTE Service on XA 6.5; HRP3 is required for StoreFront 2.x
      - RDS Listener ICA-HTML5 on XD 7.x Server OS
      - ICA Service on XD 7.x Client OS
 40. Direct connection
      Component | Connecting to | Session Reliability | Protocol | TCP Port
      ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
      ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
      HTML5 Receiver | XenApp Server/XenDesktop VDA | N/A | ICA in WebSockets | 8008
 41. One hop DMZ
      Component | Connecting to | Session Reliability | Protocol | TCP Port
      ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Enabled | ICA in Common Gateway Protocol in SSL | 443
      ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Disabled | ICA in SSL | 443
      HTML5 Receiver | Secure Gateway/Access Gateway/NetScaler | N/A | ICA in WebSockets in SSL | 443
      Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
      Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
 42. Dual hop DMZ
      Component | Connecting to | Session Reliability | Protocol | TCP Port
      Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL | N/A | SOCKS in SSL | 443
      Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL | N/A | SOCKS | 1080
 43. Multi-Stream ICA
 44. Multi-Stream ICA
      [Diagram: Citrix Receiver for Windows connected through a router to a XenDesktop Windows 7 VDA and an HTTP server. Separate streams: ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, ICA UDP/RTP Audio*, alongside HTTP. * UDP/RTP audio initially only in the VDI FlexCast model (XenDesktop)]
 45. Multi-Stream vs. Multi-Port ICA
      - Single-port, Multi-Stream ICA: 4 random ports at the client, 1 primary port on the server
      - Multi-port, Multi-Stream ICA: 4 random ports at the client, 1 primary and up to 3 secondary ports on the server
      - Single-port, Single-stream ICA: 1 random port at the client, 1 primary port on the server; the default connection type
      - Multi-Stream with NetScaler: 4 random ports at the client, 1 primary port on the NetScaler VIP; 4 random ports at the NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on the server
 46. Multi-Stream ICA
 47. Multi-Stream ICA
      - XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities: http://support.citrix.com/article/CTX131001
      - Very High (numeric 0): real-time channels, such as audio and webcam conferences
      - High (numeric 1): interactive channels, such as graphics, keyboard, and mouse
      - Medium (numeric 2): bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
      - Low (numeric 3): background channels, such as printing, COM port mapping, LPT port mapping
      - Requirements: XenDesktop 5.5+, XenApp 6.5+, Receiver 3.0+
 48. UDP Audio
      - Speex codec
      - Real-time Transport Protocol (RTP)
      - Quality must be set to Medium
      - Not using ICA or CGP
      - Citrix Receiver creates a listener on the client device during session initialization
      - Not supported with NetScaler
 49. SSL
      [Diagram: the ICA stack with the SSL transport layer highlighted: TCP, SSL, CGP/WinSocks; drivers: protocol driver, frame driver, encryption, WinStation, compression; virtual channels: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
 50. SSL
      - Citrix uses a custom SSLSDK library to wrap the native OS SSL functions and form a secured socket
      - Recommended for every connection
      - SSL Relay is no longer available in XenDesktop 7.x; use IPsec to enforce encryption
      - Wildcard and SAN certificates are supported
 51. SSL on NetScaler
      - SNI (Server Name Indication) is not supported by Receiver yet
      - NetScaler VPX does not support TLS 1.1 and TLS 1.2
      - Always add the CA certificate chain to the vserver
 52. Q&A
